clarification related to issue 108 added to CAMARA-API-access-and-user-consent.md #120

Merged
merged 11 commits into from
Feb 21, 2024
6 changes: 6 additions & 0 deletions documentation/CAMARA-API-access-and-user-consent.md
Expand Up @@ -379,6 +379,12 @@ More details about the standard flow can be found in the official IETF specifica

The purpose of this document section is to standardise the specification of `securitySchemes` and `security` across all CAMARA API subprojects with common mandatory guidelines as agreed by the Technical Steering Committee (TSC) and the participants of this Working Group.

CAMARA guidelines define a set of authorization flows which can grant API clients access to the API.
Which specific authorization flows are to be used will be determined during the onboarding process, happening between the API Client (the direct API invoker) and the API producer exposing the API. The API product order flow (preferably implemented with help of TMF 931) can consider the declared purpose for accessing the API, while also being subject to the prevailing legal framework dictated by local legislation and eventually also consider the capabilities of the application (frontend and backend) ultimately involved in the API invocation flow.
When leveraging on TMF 931 for API product ordering, the possible authorization flows should be configured on the API product specification used to build the API product offering. This configuration could be purpose dependent.
The authorization flow to be used will therefore be settled when the API product is ordered
The API invoker is expected to initiate the negotiated authorization flow when requesting ID & access tokens. The AuthZ server is responsible to validate that the authorization flow negotiated between API Invoker and API producer for this application, purpose, API/data scopes is applied.

### Use of openIdConnect for `securitySchemes`

In general, OpenID Connect is the protocol to be used for securitization. Each API specification must ONLY define the following openIdConnect entry in `securitySchemes`, as shown in document [CAMARA-AuthN-AuthZ-Concept.md](https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-AuthN-AuthZ-Concept.md#documentation-and-specs-):
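Review bot: The last added paragraph says the AuthZ server "is responsible to validate that the authorization flow negotiated between API Invoker and API producer for this application, purpose, API/data scopes is applied", but it does not say what the outcome of that validation is when the invoker starts a flow other than the negotiated one, nor how the negotiated flow reaches the AuthZ server from the product order. Since this is the enforcement point of the whole section, suggest stating both explicitly, e.g. that the token request is to be rejected when the initiated flow does not match the one settled for that application, purpose and scopes, and that the flow settled during API product ordering (the TMF 931 configuration mentioned two paragraphs earlier) is the source of truth the AuthZ server checks against. Minor wording in the same hunk: "The authorization flow to be used will therefore be settled when the API product is ordered" lacks a terminal period; "responsible to validate" should read "responsible for validating"; "When leveraging on TMF 931" should read "When leveraging TMF 931"; and "eventually also consider the capabilities of the application" reads as "at some later time" in English, so "possibly also consider" is probably the intended meaning.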